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/* TclIdSid 

* Scans an ascii line and finds an ascii SID. (no validation though)
*
* Inputs:
*
* lineoftext
*
* Returns:
*
* ascii bin_sid, if a sid is found it is returned.
*
*/

int TclIdSid (ClientDat a dummy, Tcl_Interp *interp, 

int argc, char **argv) 

{ 

char *eidp, *cp; 

int, erp -> result (0) » 0; 

if (argc !« 2) 
{ 

interp->reeult •» "wrong ft args"; 
rc turn TCL__ERROR ; 

) 

sidp = (char *) strstr (argvll] , 
if (sidp ~ NULL) return TCLjOK; 
cp = (char *) stretr {sidp+1, "/") ; 

if ((cp « NULL) && (strlen(sidp) ! = 19)) return TCLJDK; 

if C(cp - sidp) 1= 19) return TCL_OK; 

strncpy (interp- >result . eidp,l9) ; 

interp->result [19) - 0; 

return TCL__OK; 

) 



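/*
 * SidSupInit --
 *
 * Register the SID support commands with the Tcl interpreter.
 * (Restored from an OCR-damaged listing: identifiers and punctuation were
 * repaired, the command set is unchanged.)
 *
 * interp: interpreter that receives the commands.
 * Returns TCL_OK; the results of the individual registrations are not
 * inspected.
 *
 * NOTE(review): "unpacksidnovalidate" is registered next to "unpacksid".
 * Its implementation is not visible here, but the name suggests it decodes
 * a SID without checking its signature -- confirm that scripts never use
 * its output for an access decision.
 */
int SidSupInit(Tcl_Interp *interp)
{
    Tcl_CreateCommand(interp, "packsid", TclPackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksid", TclUnpackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksidnovalidate", TclUnpackSidNoValidate,
                      NULL, NULL);
    Tcl_CreateCommand(interp, "issid", TclIdSid, NULL, NULL);

    return TCL_OK;
}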
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* compute_ihash -- 

* Compute the MD5 hash for the specified string, returning the hash as
* a 32b xor of the 4 hash longwords.
*
* Results:
*
* hash int.
*
* Side effects:
*
* None.
*
*/

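/*
 * Fold the 16-byte MD5 digest of a NUL-terminated string into one 32-bit
 * value by XOR-ing its four 32-bit words together.
 * (Restored from an OCR-damaged listing.)
 *
 * str: NUL-terminated input; bytes up to the terminator are hashed.
 * Returns the folded value converted to int.
 *
 * The digest words are read in host byte order, so the same input yields
 * a different value on little- and big-endian hosts.
 *
 * NOTE(review): the result carries only 32 bits. If a caller uses it as an
 * authentication tag (no caller is visible in this fragment), that tag can
 * be found by exhaustive guessing; a keyed MAC with a longer tag is the
 * usual replacement.
 */
int compute_ihash(char *str)
{
    MD5_CTX md5;
    /*
     * The union gives aligned, aliasing-safe word access to the digest
     * bytes. Like the original pointer cast, it assumes unsigned int is
     * 32 bits wide.
     */
    union {
        unsigned char bytes[16];
        unsigned int words[4];
    } digest;
    unsigned int hashi = 0;
    int i;

    MD5Init(&md5);
    MD5Update(&md5, str, strlen(str));
    MD5Final(digest.bytes, &md5);

    for (i = 0; i < 4; i++)
        hashi ^= digest.words[i];
    return hashi;
}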

/* 

* ticket. c -- 
* 

* Commands for TICKET. 

-A 

* Copyright 1995 by Open Market , Inc. 

* All rights reserved. 
* 

* This file contains proprietary and confidential information and 

* remains the unpublished property of Open Market, Inc. Use, 

* disclosure, or reproduction is prohibited except as permitted by 

* express written license agreement with Open Market, inc. 
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* Steve Morris 

* morrisaOpenMarket.com 
* 

* Created: Wed Mar 1 1995 

* $Source: /omi/proj/nu^ter/omhttpd/Attic/ticket. c, v $ 
*/ 

#if ldefined(lint) 

static coast char rceid[) ="$Header: /omi/proj /master /omhttpd/ At tic /ticket . c, v 
2. 

#endif /*not lint*/ 

# include <etdio.h> 

# include <sys/utsname .h> 

H include "httpd-h" 

# include w md5 . h" 

ft include " ticket. h • 

static TICKET^Server TicketServerData j 
/* 

* This file implements all the ticket/sid related functions for the server.
*
* The region commands RequireSID and xxxxx can be used to limit
* access to groups of files based on the authentication of the requestor.
* The two commands are very similar, and only differ in the method used to
* present the authentication data (via the URL) and in handling of the
* failing access case. For failing TICKETs, a "not authorized" message is
* generated. For failing (or absent) SIDs, a REDIRECT (either local or via
* CGI script) is performed to forward the request to an authentication
* server.
*
* RequireSID domain1 [domain2 ... domainn]
*
* This command denies access unless the specified properties are
* true of the request. Only one RequireSID or xxxxx command can
* be used for a given region, though it may specify multiple domains.
*
*/

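/*
 * Forward declarations for the routines defined in this file.
 * (Restored from an OCR-damaged listing in which the return types and the
 * function names had been split into separate columns.)
 */
static int ProcessRequires(ClientData clientData, Tcl_Interp *interp,
                           int argc, char **argv, int flavor);
static int DomainNameCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv);
static int GetDomain(char *domname, int dflt);
static char *GetAsciiDomain(char *domname, char *dflt);
static int compute_ihash(char *str);
static char *computeHash(char *str);
static char *GetSecret(int kid);
static int GetKidByKeyID(char *keyID);
static char *CreateSid(HTTP_Request *reqPtr, int dom, int uid, int kid,
                       int exp, int uctx);
static void freeTicketReqData(void *dataPtr);
static void DumpStatus(HTTP_Request *reqPtr);
static void TICKET_DebugHooks(ClientData clientData, char *suffix,
                              HTTP_Request *reqPtr);
static int ParseSid(HTTP_Request *reqPtr);
static int ParseTicket(HTTP_Request *reqPtr);
static char *fieldParse(char *str, char sep, char **endptr);
void TICKET_ConfigCheck();
void DumpRusage(HTTP_Request *reqPtr);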



/*
* TICKET_RequireSidCmd
*
* Checks that the requested URL is authorized via SID to access this
* region. If the access is not authorized and we do not have a "remote
* authentication server" registered, then an "unauthorized" message
* is returned. If a "remote authentication server" has been
* declared, we REDIRECT to that server, passing the requested URL and
* required domains as arguments.
*
* Results:
*
* Normal Tcl result, or a REDIRECT request.
*
* Side effects:
*
* Either an "unauthorized access" message or a REDIRECT in case of
* error.
*
*/

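/*
 * Region command handler for RequireSID.
 * (Restored from an OCR-damaged listing.)
 *
 * clientData, interp, argc, argv: the usual Tcl command arguments; they are
 * passed unchanged to ProcessRequires with the SID flavor selected.
 * Returns TCL_OK when the SID eater is enabled, otherwise whatever
 * ProcessRequires returns.
 */
static int TICKET_RequireSidCmd(ClientData clientData, Tcl_Interp *interp,
                                int argc, char **argv)
{
    /*
     * With the SID eater enabled no domain check is made at all: every
     * RequireSID region is then open. Operators should treat that switch
     * as turning SID access control off, not only as URL rewriting.
     */
    if (TicketGlobalData(EnableSidEater)) return TCL_OK;
    return (ProcessRequires(clientData, interp, argc, argv, ticketsid));
}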
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* Process Required 
* 

* Checks that the requested URL is authorized to access this
* region. The error cases are treated differently for SID vs. TICKET.
* For Tickets, an unauthorized access generates a returned error
* message.
* For SIDs, we first look to see if we are operating in "local
* authentication mode"; if we are, we generate a new SID, into the URL
* and re-process the [rest of line truncated in scan].
* If not in "local" mode, we look for the presence of a remote
* authentication server; if we have one declared (in the conf file) we
* REDIRECT to it, passing the FULL url and a list of domains that would
* have been legal. If the authentication server was not found we return
* an error message.
*
* Results:
*
* Normal Tcl result, a local reprocess command, or a REDIRECT request.
*
* Side effects:
*
* Either an "unauthorized access" message or a REDIRECT in case of
* error.
*
*/

static int ProcessRequires (Client Data clientData, Tcl_Interp *interp, 

int argc, char **argv, int flavor) 

{ 

HTPP_Request *reqPtr - < HTTP_Reqeust *) client Data; 

HTTP_Se rve r * se rve rPt r ; 

TICKET_Requeet *ticketPtr ; 

DString targetUrl; 

DString escapeUrl; 

int i, required_dom; 

int f irstLegalDom - -i ; 

char *HewSid, *cp,* 

DStringlnit (fittargetUrl } ; 
DStringlnit (fceecapeUrl) ; 

/* fetch the server private and ticket specific extension data */ 
servcrPtr = reqPtr«=>8erverPtr ; 

ticketPtr = (TICKET_Request *1 HT_GetReq Ext Data (reqPtr . 
TicketServerData .tic 

ASSERT (ticketPtr != NULL); 
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/* compare the requesting SlD/Ticket<DOM> to authorized list of domains */ 
/* a match OR any valid domain and a required domain of TicketFreeArea is 

BU 

for (i « 1; i < argc; 
{ 

requi red__dom - GetDotua in < argv ( i ) - 1 > ; 
i f ( requi red_dom I * - 1 ) 
{ 

if (f irstLegalDom == -1) f irstLegalDom = required_dom; 
if ( ( ticket Ptr->sidDom ~~ required_dora) | | 

(ticketPtr->valid && (ticketPtr->sidDom I- -l) && 
(required_dom == TicketGlobalData (PreeArea) ) ) || 
( (ticketPtr->ticketDom *== required^ dom) fc& 
(time(O) <e ticketPtr->ticketBxp) && 
( (DStringLength<&ticketPtr->ticketIP) -« 0) || 

Cstrcmp(DStringValue(StticketPtr->ticketIP) , DStringValue ( treqPtr- 

>r 

) 

{ 

DStringFree ( ttarge tUr 1 ) ; 
OStringPree (fcescapeUrl) ; 
return TCLjDK; 
} 

} 

) 

/* count the number of domain crossing that caused re-auth */ 

if ((flavor ticketsid) && ( ticket Ptr->sidDom) i= -l) I ncTicket Counter (Cou 

/* authorization failed, if this was a sid url, and local auth is enabled */ 
/* or this was an access to the free area */ 

/* insert a new sid in the url, and REDIRECT back to the client 8? 
if (TicketGlobalData (Enable Local Auth) | | 

( (f irstLegalDom « TicketGlobalData (PreeArea) ) 

&& (flavor on ticketsid) && (f irstLegalDom != -1))] 

i 

if ( (DStringLength (fcreqPtr->url) i- 0) && 

(DStringValue(treqPtr->url) [03 '/')) 

{ 

HTTP_Error (reqPtr, NOT_FOUND, "access denied due to poorly formed url") ? 
DStringFree ( fctargetUrl) ; 
DStringFree ( &escapeUrl) ; 
if ( ! ticketPtr->valid) 

DStringFree (fiticketPtr- >sid) ; 
return TCL_RETURN ; 

} 

Newsid = Creates id (reqPtr, 
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f irstXegalDom, ticketPtr->uid, 

TicketGlobalData (CurrentSecret ) , TicketGlobalData (LocalAutnBxp) 

ticketPtr- >uctx> ; 
DStringFree (&ticketPtr->sid) ; 
DStringAppend(fcticketPtr->sid, NevSid, -1) ; 

ComposeURL (reqPtr, DStringValue ( fcreqPtr- >url ) , ttargetUrl) ; 

IncTi cketCounter (CountLocal Redirects ) ; 

HTTP_Error * reqPtr , REDIRECT , DS tringvalue ( ttargetUrl ) ) ; 

DStringFree (fctargetUrl) ; 

DStringFree (fceecapeUrl) 

if (! ticketPtr- >valid) 

DStringFree (&ticketPtr->sid) ; 
return TCL_RETORN ; 

} 

authorization failed, build the REDIRECT URL arg'e. * / 
/* If present, REDIRECT to authentication server */ 

if ((DStringLength(&TicketGlobalData(AuthServer)) != 0) {flavor » ticket 
{ 

if ( (DStringi,ength{&reqPtr->url> !» 0) && 

(DStringValue(fitreqPtr->url) [0] 1- */')) 

< 

HTTPJ2rror{ reqPtr, NOT_FODND. "access denied due to poorly formed url n ) ; 
DStringFree (fctargetUrl) 
DStringFree { tescapeOrl) ; 
- if (!ticketPtr->valid) 

DStringFree <&ticketPtr->sid> ; 

return TCL_RETURN ; 
} 

DStringAppend(&taxgetUrl, DStringValue UTicketGlobalData (AuthServer) > , -l) 
DStringAppendt&targetUrl, •?url=". -1> ; 

CotnposeURL ( reqPtr # DStringValue (treqPtr- >url) , fiescapeUrl) 
EscapeUrl (tescapeUrl) ; 

DStringAppendt&targetUrl. DStringValue (fcescapeurl) , -i) ; 
DStringAppeal <&targetUrl, " &domain= • , -1) ; 
DStringTrunc t&escapeUrl , 0) ; 
DStringAppend t&escapeUrl, "{ = , -1); 
for (i = l; i <. argc; i + +) 
I 

cp - GetAsciiDornain*argv [i] , NULL); 
if (cp != NULL) 
{ 

DStringAppend (&escapeUrl, cp, 

DS t ring Append ( &e s capeUrl , « • , -1); 

) 

) 
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DStringAppend (&escapeUrl , * } " , -1) ; 
EecapeUrl (ScescapeOrl) ; 

DStringAppend <&targetUrl , DStringValue ( tescapeUrl ) , -i) ; 
DStrxngFree (6escapeUrl) ; 

HTTP_Error(reqPtr, REDIRECT, DStringValue (ttargetUrl) > ; 
IncTicket Counter (CountRemoteRedirects) ; 
DStriagFree(&targefcUrl) ; 
if ( ! ticfcetPtr- >valid) 

DStringFree(&ticketPtr->sid) ; 
return TCL_RETORN,- 

} 

/* authorization failed, if this is a ticket access, decode the */ 
/* reason and handl via a redirect to a handler, or punt a */ 
/* no access message */ 

if ((flavor — ticketTicket ) (f irstl/egalDom -l) && (ticketPtr->ticketD 
I 

/* check For IP address restrictions */ 

if < <DStringl*5ngth(&ticketPtr->ticket IP) !« o) && 

(DstringUength(&TicketGlobalData(TicketAdrHandlerl ) r= o) && 

(strcmp (DStringValue (&ticketPtr->tieketIP> , DStringValue (&reqPtr->remo 

{ 

DStringAppend (&targeturl, DStringValue (fcTicket Global Data (TicketAdrHandle 
DSt ring Append (fittargetUrl, DStringValue (fitticketPtr- >fields) , -1); 
DStringAppend ( &targe tUrl , « &ur 1 - " , - 1 ) ? 

DStringAppend ( fitargefcUrl , DStringValue (&reqPtr->url) , -1) ; 
incTicketCounter(countTicketAddr) ; 

HTTP_Error(reqPtr, REDIRECT, DStringValue (& targe tUrl ) ) ; 

DStringFree(ttargetUrl) 

return TCL_RETURN ; 

> 

/■* check for expired tickets */ 
if Ctime(O) > ticketPtr- >ticketExp) 
{ 

DStringAppend (fctargetUrl, DStringValue (ScTicketGl obalDat a (TicketExpHandle 
DStringAppend (fttargetUrl, DStringValue (fcticketPtr- >f ie Ids} , -I) , 
DStringAppend (ttargetUrl, "turls", -l) ; 

DStringAppend <&targetUrl, DStringValue (fcreqPtr - >url) , -D ; 
IncTicketCounter (CountExpiredTicket) ; /* 

HTTP^Error (reqptr , REDIRECT, DStringValue (ttargetUrl ) ) 
DStringFree (ttargetUrl) ; 
return TCL_RETORN; 
} 

} 
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/* no handler, punt a message */ 

HTTP_Error(reqPtr, FORBIDDEN, "access denied by Require ticket /sid region 

CO 

IncTicketCounter (CountNoRedirects) ; 

if < 1 ticketPtr- > valid) 

ds tr ingFree (&ticketPtr->sid) ; 

DS tr ingFree ( fctargetUrl ) ; 

DS t ringFree ( &es capeur 1 ) ; 

return TCLi__RET0RN ; 

} 

/* 

+ » fc _ . 

* 

* Get (As cii) Domain 

* These routines perform an ascii to binary domain name lookup
* (indexed by 'key') from the server's domain name catalog. Name/number
* pairs are loaded into the catalog at configuration time with the
* "Domain" configuration command. The Ascii version returns
* a pointer to a character string that represents the domain number.
* The non Ascii version returns an integer representing the domain number.
*
* Results:
*
* Integer value of domain. If no domain is available, returns deflt.
*
* Side effects:
*
* None.



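/*
 * Look up a domain name in the server's domain table and return its
 * number. (Restored from an OCR-damaged listing.)
 *
 * domname: domain name; a lower-cased copy is used as the hash key, the
 *          caller's string is not modified.
 * deflt:   value returned when the name is not in the table.
 * Returns the stored hash value converted to int, or deflt.
 */
static int GetDomain(char *domname, int deflt)
{
    HashEntry *entryPtr;
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));

    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    /* The lower-cased key is only needed for the lookup itself. */
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;
    return (int) GetHashValue(entryPtr);
}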

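/*
 * Look up a domain name in the server's domain table and return its
 * number as a decimal string. (Restored from an OCR-damaged listing.)
 *
 * domname: domain name; a lower-cased copy is used as the hash key.
 * deflt:   pointer returned unchanged when the name is not in the table.
 * Returns deflt, or a pointer to a static buffer that the next call
 * overwrites -- callers must copy the text if they need to keep it, and the
 * routine is not reentrant.
 */
static char *GetAsciiDomain(char *domname, char *deflt)
{
    HashEntry *entryPtr;
    static char buffer[64];
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));

    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;

    /* A decimal int always fits in the 64-byte buffer. */
    sprintf(buffer, "%d", (int) GetHashValue(entryPtr));
    return buffer;
}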

/* 

*■ - - ^ . „ , _ 

* 

* TICKET_InsertLocalSid 
* 

* Given a URL, inspect it to see if it refers to the local server/port;
* if it does, and it does not already contain a SID, insert one if
* the current request included one. Note, for port 80 access we look
* for a match with and without the port specifier.
*
* Results:
*
* None.
*
* Side effects:
*
* A SID may be inserted into the URL.

* 

* _ . ^ , . 

*/ 

void TICKET_InaertLocalSid(HTTP_Request *reqPtr, DString *result) 
{ 

KTTP_S erve r *serverPtr; 
TICK£T_Request *ticXetPtr; 
char trap (32] ; 
DString patternl; 
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DString pattem2 # - 

DString tinp_url; 

DString *hitPattem * NOLL; 

ticketPtr = (TICKET_Request *) HT_GetReqExtData (reqPtr, 
TicketServerData . tic 

if (ticketPtr -«= NULL) return ; 
serverPtr = reqPtr->serverPtr ; 

DStringmit<&patternl) ; 
DStringlxxit (&pattern2) ; 
DStringlnit (&trop_url) ; 

DStringAppend (tpattenxl, «http:// tt , -i) ; 

DStringAppend { fcpatternl , DStr ingValue ( tserverPtr->serverName) , - 1 ) ; 
DSC ring Append ( &pattern2 . DStringValue ( fcpat ternl) , - 1) ; 
sprintf (trap, " : Vd* , serverPtr- >server_port) ; 
DStringAppend (&patternl, trap, -i) ; 

if ( (DStr ingLrength< result) >~ DStringLength (tpatteml) ) && 
(strncasectnp (DStr ingValue (fcpatternl) , DStringValue (result) , 
DStringLengt hitPattem « tpatteml; 
else 

if ( (server PTR-->server_port == 80) 

(DStringLength (result) >= DStringLength (&pattern2 ) ) && 
(strncasecrap (DStringValue (&pattern2) ( DStringValue (result) . 

DStringLength hitPattem + &pattern2; 

if (hitPattem I ~ NULL) 
{ 

DStringAppend <&tinp_url, DStringValue (hitPattem) , -i ; 
DStringAppend (tmp_url , DStringValue (&ticketPtr- >sid) , -1) ; 
DS tringAppend ( strap url , fcDStringValue ( result ) 
[DStringLength (hitPattem) 3 , 
DStringFree (result) 

DStringAppend ( result , DStringValue ( &tmp_url ) , - 1 ) : 
DStringFree (&tmp_url 5 ; 
} 

DStringFree (&patcerni) ; 
DStringFree (&pattern2) ; 
DStringFree («ttmp_url) ; 

) 

/* 
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* CreateSid 
* 

This routine takes the passed arguments and creates a sid. 

* 

* Results: 

* A sid. 

+ 

* Side effects : 



char * creates id (HTTP_Request »reqPtr, int dom, int uid, int kid, int exp, 
int uctx) 
{ 

int bsid[3l « {u,0,o} ; 
char temp_str [512] ; 
DString hash; 
int act_hash; 
static char sid [64] ; 
unsigned int expire_time; 
char *secret;) 
char *hasnP; 
char *cp; 

unsigned char *ecp; 
unsigned int eda; 
int endian - 1; 

DStringlnit (fchash) ; 
expire^time =time(0) + exp; 



put_sid (dom_lw, 
put_ sid {uid_lw, 
put_sid (kid_lw , 
put_s id ( exp_lw , 



dora_pos , 
uid_pos , 
kid^pos, 
esp_pos , 



( exp i r e_t ime > >exp_s hf fc_arat ) ) 

put_sid (uctx_lw, uctxjjos, 
put_s id ( rev_lw , r evjpos , 



domjuask, 
uid_mask, 
kid__mask, 
exp_mask, 

uctx_mask, 
rev mask, 



dom) 
uid) 
kid) 



uctx) ; 

sid_rev zero) 



secret = GetSecret (kid) ; 

ASSERT (secret i « NULL) ; 

DS t ring Append (fchash, secret, -1) 
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DS tringAppend { &hash , DS tringValue ( fcreqPtr- >reraoteAddr ) , - 1 ; 

sprintf (terop_str, « *08x%08x«, bsid[2] ,bsid[ll ) ? 

DStr ingAppend ( &haah , tempos tr , - 1 ) ; 

/* format: of the hash string is ±3*G*0Bx*0&x n t 
secret, ip_addr,baldt2 {,tosidll 

hashp « DStringvalue (&hash) ; 

act_ha.sh = coragpute_ihash(hashP) ; 

while (*hashP ! = o) *hashP++ = 0; 

DStringFree (fchash) ; 
/* fix_endian(&act_hash, ecp, eda) ; */ 

.put — sid(sig_lw, sig^pos, sig_raaek, act_hash) 

/* fix_endian(&bsid[Ol , ecp, eda); */ 
fix_endian(fcbsid[l] , ecp r eda) ; 
fix_endian*&bsid(2] , ecp, eda); 

#if (1 0 

Dumps id { ) ; 
#endif 

cp & radix£ 4encode^nosl ash < (char *) bsid, 12); 

strcpy<sid, SIDjprefix) ; 

strcafc(sid, cp) ; 

free (cp) ; 

return (sid) ; 

} 

•* . _ . „ m 

* 

* compute^hash - - 
+ 

* Compute the MD5 hash for the specified string, returning the hash as 

* a 32 b jcor of the 4 hash longwords . 
* 

* Results : 
hash int . 



* Side effects : 
Hone. 
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*/ 

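/*
 * Fold the 16-byte MD5 digest of a NUL-terminated string into one 32-bit
 * value by XOR-ing its four 32-bit words together.
 * (Restored from an OCR-damaged listing.)
 *
 * str: NUL-terminated input; bytes up to the terminator are hashed.
 * Returns the folded value converted to int.
 *
 * The digest words are read in host byte order, so the same input yields
 * a different value on little- and big-endian hosts.
 *
 * NOTE(review): CreateSid and ParseSid in this file use this value as the
 * SID signature over "secret + client address + SID words". A 32-bit tag
 * built from secret-prefixed MD5 can be found by exhaustive guessing, so
 * the scheme depends on short SID lifetimes and key rotation; new designs
 * should use a keyed MAC with a longer tag.
 *
 * NOTE(review): the scan prints the MD5 calls in this copy without the
 * digit ("MDInit", "MDUpdate", "MDFinal"); the names used below follow the
 * other hash routine in this file -- confirm against md5.h.
 */
static int compute_ihash(char *str)
{
    MD5_CTX md5;
    /*
     * The union gives aligned, aliasing-safe word access to the digest
     * bytes. Like the original pointer cast, it assumes unsigned int is
     * 32 bits wide.
     */
    union {
        unsigned char bytes[16];
        unsigned int words[4];
    } digest;
    unsigned int hashi = 0;
    int i;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(digest.bytes, &md5);

    for (i = 0; i < 4; i++)
        hashi ^= digest.words[i];
    return hashi;
}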

/* 



* computeHash 
* 

* Compute the MD5 hash for the specified string, returning the hash 

* a 32-character hex string- 

* Results : 

Pointer to static hash string. 

* 

* Side Effects: 

* None . 



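/*
 * Compute the MD5 digest of a NUL-terminated string and return it as 32
 * lower-case hex characters. (Restored from an OCR-damaged listing, which
 * had also lost the closing brace.)
 *
 * str: NUL-terminated input; bytes up to the terminator are hashed.
 * Returns a pointer to a static 33-byte buffer that the next call
 * overwrites -- callers must copy the text if they need to keep it, and the
 * routine is not reentrant.
 */
static char *computeHash(char *str)
{
    int i;
    MD5_CTX md5;
    unsigned char hash[16];
    static char hashstr[33];
    char *q;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);

    /* Two hex digits per digest byte: 16 * 2 characters plus the NUL. */
    q = hashstr;
    for (i = 0; i < 16; i++) {
        sprintf(q, "%02x", hash[i]);
        q += 2;
    }
    *q = '\0';
    return hashstr;
}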



/* 



* TICKET_ParseTicket 

■* Called by dorequest , before any region commands or mount handlers 

*• have run. We parse and handle income ing sid' s and tickets. 

* 

* Results: 

* None . 
* 

* Side effects: 

* , , _ 

*/ 

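/*
 * Entry point for SID and ticket parsing of an incoming request.
 * (Restored from an OCR-damaged listing; the truncated call on the last
 * statement is taken to be ParseTicket(reqPtr), the only matching routine
 * declared in this file.)
 *
 * reqPtr: the request being processed.
 * Returns the status of ParseSid, or of ParseTicket when tickets are
 * enabled and SID parsing returned HT_OK.
 */
int TICKET_ParseTicket(HTTP_Request *reqPtr)
{
    int status = HT_OK;

    IncTicketCounter(CountTotalUrl);

    /* SID parsing always runs; it also allocates the per-request ticket
       block that the ticket parser and the region commands read later. */
    status = ParseSid(reqPtr);
    if (TicketGlobalData(EnableTicket) && (status == HT_OK))
        status = ParseTicket(reqPtr);
    return status;
}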



# 

* ParseSid - 
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* Called by TICKET_ParseTicket , before any region commands or mount handle 

* have run. We parse and handle income ing eid'e. 
* 

* Results: 

* None . 
* 

* Side effects: 




% 



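/*
 * ParseSid --
 *
 * Allocate the per-request ticket block, then look for a SID at the start
 * of the request URL, verify it and strip it from the URL and path.
 * (Restored from an OCR-damaged listing; lines the scan truncated at the
 * right margin were completed from the matching code in CreateSid and from
 * the declarations in this file -- verify against the original source.)
 *
 * reqPtr: the request being processed; its url and path may be rewritten.
 * Returns HT_OK in every case. The outcome is reported through the ticket
 * block: valid and sidDom are set only for a SID that passed the version,
 * signature and expiry checks. An invalid or expired SID is still stripped
 * from the URL; access is then decided by the RequireSID region commands.
 *
 * Changes against the listing: the client-address scan result is checked
 * so the default uid never reads uninitialized integers, and the search
 * for the '/' that ends the SID is guarded against a URL shorter than the
 * search offset and against a missing '/'.
 */
int ParseSid(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;
    HTTP_Server *serverPtr;
    DString hash;
    int i;
    char *cp, *cpl;
    int *bsid = NULL, act_hash;
    unsigned int cur_tim, tdif, exp_tim;
    char *secret;
    char temp_str[512];
    char *hashP;
    int sid_ok = 0;
    /* ecp, eda and endian have no other visible use; presumably the
       fix_endian macro needs them -- confirm. */
    unsigned char *ecp;
    unsigned int eda;
    int endian = 1;
    int ip1 = 0, ip2 = 0, ip3 = 0, ip4 = 0;

    /* fetch the server private ticket extension data */
    /* note that this sets up a default ticket block for both SIDs and Tickets */
    serverPtr = reqPtr->serverPtr;
    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                                    TicketServerData.ticketExtensionId);
    ASSERT(ticketPtr == NULL);

    ticketPtr = (TICKET_Request *) Malloc(sizeof(TICKET_Request));
    HT_AddReqExtData(reqPtr, TicketServerData.ticketExtensionId, ticketPtr,
                     freeTicketReqData);
    DStringInit(&ticketPtr->rawUrl);
    DStringInit(&ticketPtr->sid);
    DStringInit(&ticketPtr->fields);
    DStringInit(&ticketPtr->signature);
    DStringInit(&ticketPtr->ticketIP);
    ticketPtr->valid = 0;
    ticketPtr->sidDom = -1;
    ticketPtr->ticketDom = -1;
    ticketPtr->ticketExp = -1;
    ticketPtr->uid = 0;
    ticketPtr->uctx = 0;

    /*
     * Default uid for a request without a usable SID: derived from the
     * client address plus 16 bits of rand(). It is an identifier, not a
     * secret, and must not be relied on as unguessable.
     */
    if (sscanf(DStringValue(&reqPtr->remoteAddr), "%d.%d.%d.%d",
               &ip1, &ip2, &ip3, &ip4) != 4) {
        /* Address did not parse as a dotted quad: use a defined value. */
        ip1 = ip2 = ip3 = ip4 = 0;
    }
    ticketPtr->uid = (((ip1+ip2)<<24) | ((ip3+ip4)<<16) | (rand() & 0xFFFF));
    ticketPtr->uctx = 1;

    /* we are done if sids are not enabled, or this url does not have a sid */
    if (!(TicketGlobalData(EnableSid))) return HT_OK;

    cpl = DStringValue(&reqPtr->url);
    if (strstr(cpl, SID_prefix) != cpl)
        return HT_OK;
    if (strlen(cpl) == sidLength)
    {
        DStringAppend(&reqPtr->url, "/", -1);
        DStringAppend(&reqPtr->path, "/", -1);
        cpl = DStringValue(&reqPtr->url);
    }

    /* The search below starts sizeof(SID_prefix) bytes in; never start it
       beyond the terminating NUL of a very short URL. */
    if (strlen(cpl) < sizeof(SID_prefix))
        return HT_OK;
    cp = strchr(cpl+sizeof(SID_prefix), '/');
    if ((cp == NULL) || ((cp - cpl) != sidLength))
        return HT_OK;
    IncTicketCounter(CountSidUrl);

    DStringInit(&hash);

    /* if sid eater is enabled, rewrite the url without the sid, and reprocess */
    if (TicketGlobalData(EnableSidEater))
    {
        /* hash is only scratch space here while url and path are rebuilt */
        DStringAppend(&hash, DStringValue(&reqPtr->url), -1);
        DStringFree(&reqPtr->url);
        DStringAppend(&reqPtr->url, DStringValue(&hash)+sidLength, -1);
        DStringTrunc(&hash, 0);
        DStringAppend(&hash, DStringValue(&reqPtr->path), -1);
        DStringFree(&reqPtr->path);
        DStringAppend(&reqPtr->path, DStringValue(&hash)+sidLength, -1);
        DStringFree(&hash);
        IncTicketCounter(CountDiscardedSidUrl);
        return HT_OK;
    }

    DStringAppend(&ticketPtr->sid, DStringValue(&reqPtr->url), sidLength);

    /* first convert the SID back to binary */
    i = DStringLength(&ticketPtr->sid)-3;
    bsid = (int *) radix64decode_noslash(DStringValue(&ticketPtr->sid)+3, i, &i);
    /* exactly 12 decoded bytes are required: bsid[0..2] are read below */
    if ((bsid == NULL) || (i != 12)) goto rtn_exit;

    fix_endian(&bsid[0], ecp, eda);
    fix_endian(&bsid[1], ecp, eda);
    fix_endian(&bsid[2], ecp, eda);

    /* check the SID version field */
    if (get_sid(rev_lw,rev_pos,rev_mask) != sid_rev_zero) goto sid_bad;
    if (get_sid(rsrv1_lw,rsrv1_pos,rsrv1_mask) != 0) goto sid_bad;
    if (get_sid(rsrv2_lw,rsrv2_pos,rsrv2_mask) != 0) goto sid_bad;

    /* Get a pointer to the secret */
    secret = GetSecret(get_sid(kid_lw,kid_pos,kid_mask));
    if (secret == NULL) goto sid_bad;

    /* hash the sid and check the signature */
    DStringAppend(&hash, secret, -1);
    DStringAppend(&hash, DStringValue(&reqPtr->remoteAddr), -1);
    sprintf(temp_str, "%08x%08x", bsid[2], bsid[1]);
    DStringAppend(&hash, temp_str, -1);

    /* format of the hash string is "%s%s%08x%08x", secret, ip_addr, bsid[2], bsid[1] */
    hashP = DStringValue(&hash);
    act_hash = compute_ihash(hashP);
    /* wipe the working copy of the secret before the buffer is released */
    while (*hashP != 0) *hashP++ = 0;
    fix_endian(&act_hash, ecp, eda);

    if (act_hash != get_sid(sig_lw,sig_pos,sig_mask)) goto sid_bad;

    /* it is ok, may be expired, but good enough to id user */
    ticketPtr->uid = get_sid(uid_lw,uid_pos,uid_mask);
    ticketPtr->uctx = get_sid(uctx_lw,uctx_pos,uctx_mask);

    /* do the SID expiration processing */
    /*
     * NOTE(review): the comparison is modular over 16 bits, so a SID whose
     * expiry lies more than 0x7fff units in the past compares as unexpired
     * again. The unit depends on exp_shft_amt, which is not shown here --
     * confirm that secrets are rotated well inside that window.
     */
    cur_tim = (time(0)>>exp_shft_amt) & exp_mask;
    exp_tim = get_sid(exp_lw,exp_pos,exp_mask);
    tdif = (exp_tim - cur_tim) & 0xffff;
    if (tdif > 0x7fff)
    {
        IncTicketCounter(CountExpSid);
        goto sid_exp;
    }

    /* sid is fine, save the sid state, update the urls */
    ticketPtr->sidDom = get_sid(dom_lw,dom_pos,dom_mask);
    ticketPtr->valid = 1;
    sid_ok = 1;
    IncTicketCounter(CountValidSid);

sid_bad:
    if (!(sid_ok)) IncTicketCounter(CountInvalidSid);

sid_exp:
    /*
     * Strip the SID from path and url; rawUrl is reused as scratch space
     * and ends up holding the original url.
     * NOTE(review): path is assumed to be at least sidLength bytes long,
     * like url -- confirm that the two are always built from the same text.
     */
    DStringAppend(&ticketPtr->rawUrl, DStringValue(&reqPtr->path), -1);
    DStringTrunc(&reqPtr->path, 0);
    DStringAppend(&reqPtr->path, DStringValue(&ticketPtr->rawUrl)+sidLength, -1);
    DStringTrunc(&ticketPtr->rawUrl, 0);
    DStringAppend(&ticketPtr->rawUrl, DStringValue(&reqPtr->url), -1);
    DStringTrunc(&reqPtr->url, 0);
    DStringAppend(&reqPtr->url, DStringValue(&ticketPtr->rawUrl)+sidLength, -1);

rtn_exit:
    DStringFree(&hash);
    if (bsid != NULL) free(bsid);
    return HT_OK;
}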



* freeTicketReqData 
* 

* This routine frees the storage used by ticket specific request 

* data. 
* 

* Results: 

* None . 
* 

* Side effects: 

* Memory freed . 



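/*
 * Release the ticket block attached to a request: its five dynamic
 * strings, then the block itself. (Restored from an OCR-damaged listing.)
 *
 * dataPtr: the TICKET_Request to release. ParseSid passes this routine to
 *          HT_AddReqExtData together with the block it allocates. A NULL
 *          pointer is ignored (the listing dereferenced it).
 */
static void freeTicketReqData(void *dataPtr)
{
    TICKET_Request *ticketPtr = dataPtr;

    if (ticketPtr == NULL)
        return;
    DStringFree(&ticketPtr->rawUrl);
    DStringFree(&ticketPtr->sid);
    DStringFree(&ticketPtr->fields);
    DStringFree(&ticketPtr->signature);
    DStringFree(&ticketPtr->ticketIP);
    free(ticketPtr);
}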

/* 



GetSecrer. 



* Given a binary keyID, returns an ascii secret from the
* secrets store.
*
* For untranslatable names, return NULL.
*
* Results:
*
* "I've got a secret, now you do too"
*
* Side effects:
*
*/

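/*
 * Return the secret stored for a binary key id.
 * (Restored from an OCR-damaged listing.)
 *
 * kid: binary key id, used directly as the one-word hash key.
 * Returns a pointer to the stored secret text, or NULL when the key id is
 * unknown or has no secret attached. The pointer refers to the table's own
 * storage: callers must not modify or free it, and should avoid copying it
 * into logs or error pages.
 */
char *GetSecret(int kid)
{
    HashEntry *entryPtr;
    DString *secretPtr;

    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL) return NULL;

    /*
     * SecretsCmd creates the entry before it stores a value and skips the
     * store for an empty secret, so the entry may carry no string at all.
     * Treat that as "no secret" rather than dereferencing it (assumes an
     * unset hash value reads as NULL -- confirm against CreateHashEntry).
     */
    secretPtr = (DString *) GetHashValue(entryPtr);
    if (secretPtr == NULL) return NULL;
    return DStringValue(secretPtr);
}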



* GetKidByKeylD 
* 

* Given an aecii HeylD return the binary Key ID 

* for untranslatable names, return -l. 
* 

* Results: 

* "I've got a secret, now you do too" 
* 

* Side effects: 



* . 

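/*
 * Translate an ascii KeyID into its binary key id.
 * (Restored from an OCR-damaged listing.)
 *
 * keyID: NUL-terminated key name, looked up as given.
 * Returns the stored key id converted to int, or -1 when the name is not
 * in the table.
 */
int GetKidByKeyID(char *keyID)
{
    HashEntry *entryPtr;

    entryPtr = FindHashEntry(&TicketServerData.KeyID, (void *) keyID);
    if (entryPtr == NULL) return -1;
    return (int) GetHashValue(entryPtr);
}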



/* 
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* fieldParse 
* 

* Given a string, a separator character, extracts a field up to the 

* separator into the result string. 

* Does substitution on '*XX' sequences, and returns the pointer to the 

* character beyond last character in '*endptr'. 
* 

* Results : 

* Returns a malloc'ed string (caller muet free) , or NULL if an 

* error occurred during processing (such as an invalid sequence) , 
* 

* Side effects: 

* None. 
* 

+ — . . . _ _ 

*/ 

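#define SIZE_INC 200

/*
 * Extract one field from a URL-encoded string.
 * (Restored from an OCR-damaged listing; the escape character was lost in
 * the scan and is taken to be '%', matching the hex-pair decoding and the
 * '+' to space rule in the body.)
 *
 * str:    input text; read up to the first sep or the terminating NUL.
 * sep:    field separator; it is not consumed.
 * endptr: receives the address of the first character not consumed.
 *
 * "%XX" becomes the byte with hex value XX and '+' becomes a space.
 * Returns a malloc'ed, NUL-terminated string that the caller must free, or
 * NULL for a malformed escape or when memory cannot be obtained (*endptr
 * is left untouched in that case).
 *
 * Changes against the listing: the output length is now tracked, so the
 * buffer really grows before it fills up and the terminator always fits
 * (no increment of len is visible in the scan); allocation results are
 * checked; isxdigit() receives unsigned char values.
 *
 * Caveat for callers: "%00" decodes to an embedded NUL, which hides the
 * rest of the field from every C string function. Reject such input
 * before using the result in an access decision or a file name.
 */
static char *fieldParse(char *str, char sep, char **endptr)
{
    char buf[3];
    char c;
    char *end, *data, *p, *grown;
    int maxlen, len;

    len = 0;
    maxlen = SIZE_INC;
    p = data = malloc(maxlen);
    if (data == NULL)
        return NULL;

    /*
     * Loop through string, until end of string or sep character.
     * Invariant: len < maxlen, so one more byte can always be stored.
     */
    while (*str && *str != sep) {
        if (*str == '%') {
            /* The || stops at the first non-hex character, so a string
               that ends right after '%' is never read past its NUL. */
            if (!isxdigit((unsigned char) str[1]) ||
                !isxdigit((unsigned char) str[2])) {
                free(data);
                return NULL;
            }
            buf[0] = str[1];
            buf[1] = str[2];
            buf[2] = '\0';
            c = (char) strtol(buf, &end, 16);
            str += 3;
        } else if (*str == '+') {
            c = ' ';
            str++;
        } else {
            c = *str++;
        }

        *p++ = c;
        len++;
        if (len == maxlen) {
            /* Keep the old block until the new one is known to exist. */
            grown = realloc(data, maxlen + SIZE_INC);
            if (grown == NULL) {
                free(data);
                return NULL;
            }
            data = grown;
            maxlen += SIZE_INC;
            p = data + len;
        }
    }
    *p = '\0';
    *endptr = str;
    return data;
}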



/*
* DomainNameCmd --
*
* A call to this routine builds the ascii domain name
* to binary domain name mapping structure for a numeric domain.
* Syntax is: Domain number name1 name2 name3 name ... name_last
* At least one name is required. The number is decimal and
* can be any value except -1. -1 is reserved as a marker
* for untranslatable names.
*
* Results:
*
* None.
*
* Side effects:
*
* Commands are validated, and entries added to the map.
*
*/

static int DomainNameCmd {ClientData clientData, Tcl_Interp *interp, 

int argc, char **argv) 

< 

int new. i; 

HashEnt ry * ent ryPt r ; 
int DomNumber; 
DString DomName; 
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if (argc <3) 
{ 

Tcl_AppendResult (interp. argv[o] , • directive: wrong number of n 
"arguments, should be V^X."", 
(char *) NULL) ; 
return TCLJBRROR; 
} 

DStringlnit (fiDotrtName) ; 

if ( ( (sscanf (argv[l] , "Vd", tDomNumber) 1 - 1 || (DoniNumber — -1))) 
{ 

Tcl_AppendResult (interp, argvtoi, w directive: 

"Domain number must be an integer, and not equal to -1" , 
value found was ",argvfl], 

(char *> NULL) ; 
return to TCL_ERR0R; 
) 

for (i = 2; i < argc; i++) 

{ 

DStringFree ( SeDotnNarae ) ; 
DStringAppend(&DomiNaroe, argvti) . -11; 
etrto lower (DS t r ing Va lue ( &DomNacue ) ) ; 

entryPtr - CreateKashEntry(&TicketServerData .Domains, DStringValue 

if (new o) 
{ 

Tcl^AppendResult (interp, argvlO] , " directive: 

"Duplicate domain name specified, ' " , argv[i}, "' n , 

(char *) NULL) ; 
return TCL_ERROR ; 
} 

SetHashVaLue(entryPtr. DomNumber) ; 
} 

DSt ring Free ( £cDomName> ; 
return TCL_OK; 



* SecretsCmd 
* 

* A call to this routine, builds kid to secrets table 
* 

* Results : 
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* None . 
* 

* Side effects: 

* Secrets are stored. 

* 

*/ 

static int SecretsCmd (clientData clientDate. Tcl_lnterp *iaterp, 
int argc, char **argv) 

< 

int newKid, newKeylD; 

HashEntry *entryPtrKid «= NULL, * entry PtrKey ID « NULL; 
int Kid; 

DString *dsptrKid; 

if (argc » =4) 
i 

Tcl_AppendResult (infcerp, argv[o), - directive: wrong number of « 

"arguments, should be \"4\ rt 

(char *) NULL) ; 
return TCL_ERROR ; 
) 



if (sscanf (argv[2] , "Vd n , fcKid) ! - 1) 
{ 

Tcl_AppendResult (interp, argvfo] , 

M directive: KeylD must be an integer", 
t value found was argv(2] , • , 

(char *) NULL) ; 
return TCL_ERROR; 
} 



entryPtrKid = CreateHashEntry UTicketServerData . Secret sKid, (void *) Kid, &n 
if (strlen(argv[i]>) 

entryPtrKeylD » CreateHashEntry UTicketServerData . Key 3D, (void ♦) argv(l), 
if [(newKid — 0 || ( [newKeyrD — 0) && strlen |argv[i] ) ) ) 
{ 

TcX_AppendResul t ( interp , argv [o) . 

11 directive: Duplicate Secret specified for KeylD 

argv{i) , 

(char *) NULL) ; 
return tclerror; 
} 

if (strlen (argv [a) ) > 
{ 

dsptrKld = (DString *) malloc (sizeof (DString) ) ; 
DStringlnit (dsptrKid) ; 
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DStringAppend(dspfcrKid, argv[3) , 

SetHashValue{entryPtrKid # dsptrKid) f 
} 

SetHashValue (entry PtrKey ID, Kid); 

return TCL_OK; 

) 



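/*
 * TICKET_Initialize --
 *
 *	Calls all the necessary routines to initialize the ticket subsystem:
 *	registers the request extension, creates the three hash tables,
 *	resets the global settings and event counters, registers the
 *	configuration directives and mounts the debug hook.
 *
 * Results:
 *	HT_OK.
 *
 * Side effects:
 *	Commands added to the region interpreter.
 *	SID url catcher declared.
 *
 * NOTE(review): recovered from a scan in which the two columns of the
 * listing were interleaved and some lines were cut off. Identifier
 * spellings follow their other uses in this file where the scan was
 * ambiguous.
 */

int TICKET_Initialize(HTTP_Server *serverPtr, Tcl_Interp *interp)
{
    /*
     * NOTE(review): the argument list of this call is cut off in the scan
     * after the string that begins "ticket". Only the visible part is
     * reproduced here, so the call is incomplete as printed.
     */
    TicketServerData.ticketExtensionId = HT_RegisterExtension(serverPtr,
                                                              "ticket");

    InitHashTable(&TicketServerData.SecretsKid, TCL_ONE_WORD_KEYS);
    InitHashTable(&TicketServerData.KeyID, TCL_STRING_KEYS);
    InitHashTable(&TicketServerData.Domains, TCL_STRING_KEYS);

    /* initialize Server ticket data */
    DStringInit(&TicketGlobalData(AuthServer));
    DStringInit(&TicketGlobalData(TicketExpHandler));
    DStringInit(&TicketGlobalData(TicketAdrHandler));

    /* Every enable flag starts at 0, i.e. each feature is off by default. */
    TicketGlobalData(FreeArea) = 0;
    TicketGlobalData(EnableLocalAuth) = 0;
    TicketGlobalData(CurrentSecret) = 0;
    TicketGlobalData(EnableSid) = 0;
    TicketGlobalData(EnableTicket) = 0;
    TicketGlobalData(EnableSidEater) = 0;
    /* 60*30 = 1800; presumably seconds (30 minutes) -- TODO confirm. */
    TicketGlobalData(LocalAuthExp) = 60*30;

    /* ticket event counters */
    TicketGlobalData(CountTotalUrl) = 0;
    TicketGlobalData(CountSidUrl) = 0;
    TicketGlobalData(CountValidSid) = 0;
    TicketGlobalData(CountExpSid) = 0;
    TicketGlobalData(CountInvalidSid) = 0;
    TicketGlobalData(CountCrossDomain) = 0;
    TicketGlobalData(CountLocalRedirects) = 0;
    TicketGlobalData(CountRemoteRedirects) = 0;
    TicketGlobalData(CountNoRedirects) = 0;
    TicketGlobalData(CountDiscardedSidUrl) = 0;

    /* Ticket related Config commands */
    Tcl_CreateCommand(interp, "Domain", DomainNameCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "Secrets", SecretsCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "AuthenticationServer", CmdStringValue,
                      (ClientData) &TicketGlobalData(AuthServer), NULL);
    Tcl_CreateCommand(interp, "TicketExpirationHandler", CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketExpHandler), NULL);
    Tcl_CreateCommand(interp, "TicketAddressHandler", CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketAdrHandler), NULL);
    Tcl_CreateCommand(interp, "FreeDomain", CmdIntValue,
                      (ClientData) &TicketGlobalData(FreeArea), NULL);
    Tcl_CreateCommand(interp, "EnableSidEater", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSidEater), NULL);
    Tcl_CreateCommand(interp, "EnableSid", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSid), NULL);
    Tcl_CreateCommand(interp, "EnableTicket", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableTicket), NULL);
    Tcl_CreateCommand(interp, "EnableLocalAuth", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableLocalAuth), NULL);
    Tcl_CreateCommand(interp, "CurrentSecret", CmdIntValue,
                      (ClientData) &TicketGlobalData(CurrentSecret), NULL);
    Tcl_CreateCommand(interp, "LocalAuthExp", CmdIntValue,
                      (ClientData) &TicketGlobalData(LocalAuthExp), NULL);

    /*
     * The debug hook is mounted unconditionally and with NULL client data;
     * no configuration switch guards it in this function.
     * NOTE(review): the mount path is printed as "/bmiserver" in the scan;
     * "/omiserver" is the reading used here -- confirm. Deployments should
     * restrict who can reach this prefix, since the handler serves a
     * status page.
     */
    HT_AddMountHandler(serverPtr, (ClientData) NULL, TICKET_DebugHooks,
                       "/omiserver", NULL);

    return HT_OK;
}
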
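/*
 * TICKET_Shutdown --
 *
 *	Calls all the necessary routines to shut down the ticket subsystem.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	Memory freed. Each stored secret is overwritten with zero bytes
 *	before its storage is released, so key material does not linger
 *	in freed heap memory.
 */

void TICKET_Shutdown(HTTP_Server *serverPtr)
{
    HashEntry *entryPtr;
    HashSearch search;
    DString *dstring;

    DStringFree(&TicketGlobalData(AuthServer));
    DStringFree(&TicketGlobalData(TicketExpHandler));
    DStringFree(&TicketGlobalData(TicketAdrHandler));

    entryPtr = FirstHashEntry(&TicketServerData.SecretsKid, &search);
    while (entryPtr != NULL)
    {
        dstring = GetHashValue(entryPtr);

        /*
         * SecretsCmd creates a kid entry even when the secret argument is
         * empty and attaches no value in that case, so the value may be
         * missing (assumes unset values read back as NULL -- TODO confirm).
         */
        if (dstring != NULL)
        {
            /*
             * Wipe through a volatile pointer so the stores are not
             * removed as dead writes ahead of the free.
             */
            volatile char *secret = DStringValue(dstring);
            int secretLen = DStringLength(dstring);
            int i;

            for (i = 0; i < secretLen; i++)
            {
                secret[i] = 0;
            }

            DStringFree(dstring);
            free(dstring);
        }

        entryPtr = NextHashEntry(&search);
    }

    DeleteHashTable(&TicketServerData.SecretsKid);
    DeleteHashTable(&TicketServerData.KeyID);
    DeleteHashTable(&TicketServerData.Domains);
}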

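/*
 * TICKET_AddRegionCommands --
 *
 *	Add TICKET region commands for authentication/authorization
 *	decisions.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	Commands added to the region interpreter. Both commands receive
 *	the current request as their client data.
 */

void TICKET_AddRegionCommands(HTTP_Request *reqPtr, Tcl_Interp *interp)
{
    /*
     * NOTE(review): the scan prints the first command name as
     * "Requires ID"; "RequireSID" is the reading used here, matching the
     * handler name -- confirm the exact spelling and case.
     */
    Tcl_CreateCommand(interp, "RequireSID", TICKET_RequireSidCmd,
                      (ClientData) reqPtr, NULL);
    Tcl_CreateCommand(interp, "RequireTicket", TICKET_RequireTicketCmd,
                      (ClientData) reqPtr, NULL);
}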



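/*
 * TICKET_GetCGIVariables --
 *
 *	Add TICKET CGI variables to the CGI variable table. A variable is
 *	added only when the corresponding field of the request's ticket
 *	data is non-empty.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	Extends the CGI variable hash table with TICKET_URL, TICKET_SID,
 *	TICKET_FIELDS and TICKET_SIGNATURE.
 *
 * NOTE(review): the SID and signature are handed to the CGI program as
 * they are stored on the request; whether they have been validated at
 * this point is not visible from this function.
 * NOTE(review): the extension-id argument and the final argument of the
 * last two HT_AddCGIParameter calls are cut off in the scan; they are
 * filled in from TICKET_GetUrl and from the first two calls.
 */

void TICKET_GetCGIVariables(HTTP_Request *req)
{
    TICKET_Request *ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(req, TicketServerData.ticketExtensionId);

    /*
     * If there's no extension data, then we're not doing a ticket. Just
     * return.
     */
    if (ticketPtr == NULL)
    {
        return;
    }

    if (DStringLength(&ticketPtr->rawUrl) != 0)
    {
        HT_AddCGIParameter(req, "TICKET_URL",
                           DStringValue(&ticketPtr->rawUrl), FALSE);
    }

    if (DStringLength(&ticketPtr->sid) != 0)
    {
        HT_AddCGIParameter(req, "TICKET_SID",
                           DStringValue(&ticketPtr->sid), FALSE);
    }

    if (DStringLength(&ticketPtr->fields) != 0)
    {
        HT_AddCGIParameter(req, "TICKET_FIELDS",
                           DStringValue(&ticketPtr->fields), FALSE);
    }

    if (DStringLength(&ticketPtr->signature) != 0)
    {
        HT_AddCGIParameter(req, "TICKET_SIGNATURE",
                           DStringValue(&ticketPtr->signature), FALSE);
    }
}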



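/*
 * TICKET_GetUrl --
 *
 *	Return the original url (with sid). Falls back to the request's
 *	own url when the request has no ticket data or the stored raw url
 *	is empty.
 *
 * Results:
 *	The URL. The pointer refers to storage held by the request or its
 *	ticket data; presumably the caller must not free it -- confirm.
 *
 * Side effects:
 *	None.
 *
 * NOTE(review): because the returned string carries the SID, writing it
 * to access logs or error pages records the session identifier there.
 */

char *TICKET_GetUrl(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;

    ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(reqPtr, TicketServerData.ticketExtensionId);

    if ((ticketPtr != NULL) &&
        (DStringLength(&ticketPtr->rawUrl) != 0))
    {
        return DStringValue(&ticketPtr->rawUrl);
    }

    return DStringValue(&reqPtr->url);
}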



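/*
 * TICKET_ConfigCheck --
 *
 *	Perform late configuration checks. When EnableSid is 0 only the
 *	EnableSid range check runs; otherwise the current secret, FreeArea
 *	and the remaining enable flags are validated as well.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	Possible message logged/printed, and program exited.
 *
 * NOTE(review): every failure path calls exit(0), so a supervisor sees a
 * "successful" exit status after a configuration error. The status is
 * left as printed because callers may depend on it; a non-zero status
 * would be the conventional choice.
 */

void TICKET_ConfigCheck(void)
{
    HashEntry *entryPtr;
    int kid;

    if ((TicketGlobalData(EnableSid) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSid must be 0 or 1");
        exit(0);
    }

    if (!(TicketGlobalData(EnableSid)))
    {
        return;
    }

    /* Bitwise test: kid may only use bits that are set in kid_mask. */
    kid = TicketGlobalData(CurrentSecret);
    if ((kid & kid_mask) != kid)
    {
        LogMessage(LOG_ERR, "CurrentSecret %d is invalid", kid);
        exit(0);
    }

    /*
     * The table entry can exist without a secret attached (SecretsCmd
     * creates it before checking whether the secret argument is empty),
     * so the value is checked as well as the entry. Assumes an unset
     * value reads back as NULL -- TODO confirm.
     */
    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL || GetHashValue(entryPtr) == NULL)
    {
        LogMessage(LOG_ERR, "No secret defined for CurrentSecret %d", kid);
        exit(0);
    }

    /*
     * The listing masks with 0x255 (hex), which rejects values such as 2
     * and accepts values above 255; 0xff matches the 0..255 range the
     * message states.
     */
    if ((TicketGlobalData(FreeArea) & ~0xff) != 0)
    {
        LogMessage(LOG_ERR, "FreeArea must be between 0 and 255");
        exit(0);
    }

    if ((TicketGlobalData(EnableSidTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSidTicket must be 0 or 1");
        exit(0);
    }

    /*
     * The scan shows a ';' directly after this condition, which would
     * make the block below run unconditionally; it is dropped here.
     */
    if ((TicketGlobalData(EnableTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableTicket must be 0 or 1");
        exit(0);
    }

    if ((TicketGlobalData(EnableLocalAuth) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnablLocalAuth must be 0 or 1");
        exit(0);
    }
}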



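/*
 * TICKET_DebugHooks --
 *
 *	Check for debug hooks and execute if found. The only hook handled
 *	here is the ticket status page; any other suffix is answered with
 *	a NOT_FOUND error.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	A response is sent and the request is finished on every path.
 *
 * NOTE(review): nothing in this handler checks who is asking. The status
 * page it serves (DumpStatus) reports the host name, operating system
 * name and release, listening port, start time and request counters, so
 * access to the mount prefix should be limited to operators.
 * NOTE(review): the suffix literal is badly scanned; "/ticketstatus" is
 * the reading used here -- confirm.
 */

static void TICKET_DebugHooks(ClientData clientData, char *suffix,
                              HTTP_Request *reqPtr)
{
    if (strcmp(suffix, "/ticketstatus") == 0)
    {
        DumpStatus(reqPtr);
        HT_FinishRequest(reqPtr);
        return;
    }

    HTTP_Error(reqPtr, NOT_FOUND, "access denied due to poorly formed url");
    HT_FinishRequest(reqPtr);
    return;
}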



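/*
 * DumpStatus --
 *
 *	Dump the server's ticket stats as an HTML page: the ticket event
 *	counters, then host and uptime information, connection and request
 *	totals, and the output of DumpRusage and DNS_DumpStats.
 *
 * Results:
 *	None.
 *
 * Side effects:
 *	Sends a complete "200 OK" response on reqPtr and sets reqPtr->done.
 *
 * NOTE(review): recovered from a scan. Every counter argument is cut off
 * after "Ticket"; the counters below follow the order in which
 * TICKET_Initialize resets them. Spacing inside the string literals and
 * the argument order of the two HTTP_Send calls around the connection
 * and request totals are also reconstructed. Confirm against a clean
 * copy before relying on exact output.
 */

#define BUFSIZE 1024

static void DumpStatus(HTTP_Request *reqPtr)
{
    HTTP_Server *serverPtr = reqPtr->serverPtr;
    char tmp[BUFSIZE], timeStr[BUFSIZE];
    struct utsname sysinfo;
    struct tm *startedTm;
    time_t uptime;
    int hours;

    HTTP_BeginHeader(reqPtr, "200 OK");
    HTTP_SendHeader(reqPtr, "Content-type: text/html", NULL);
    HTTP_EndHeader(reqPtr);

    HTTP_Send(reqPtr, "<title>WebServer Ticket Status</title>"
              "<h1>WebServer Ticket Status</h1>", NULL);

    HTTP_Send(reqPtr, "<p><hr><p><h2>Ticket Log</h2>"
              "<p><pre>\n", NULL);

    /*
     * Each line is formatted with snprintf so that output can never run
     * past tmp; the listing used unbounded sprintf calls.
     */
    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n", "Number of access ",
             TicketGlobalData(CountTotalUrl));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n", "Number of SID URL's ",
             TicketGlobalData(CountSidUrl));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n", "Number of Valid SID's ",
             TicketGlobalData(CountValidSid));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n", "Number of Expired SID's ",
             TicketGlobalData(CountExpSid));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n", "Number of Invalid SID's ",
             TicketGlobalData(CountInvalidSid));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n",
             "Number of XDomain accesses ",
             TicketGlobalData(CountCrossDomain));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n",
             "Number of Local Redirects ",
             TicketGlobalData(CountLocalRedirects));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n",
             "Number of Remote Redirects ",
             TicketGlobalData(CountRemoteRedirects));
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>%s: </b> %d\n",
             "Number of No Auth servers ",
             TicketGlobalData(CountNoRedirects));
    HTTP_Send(reqPtr, tmp, "</pre>", NULL);

    uptime = time(NULL) - serverPtr->started;

    /*
     * Clear the structure first so the strings are empty, not
     * indeterminate, if uname() fails.
     */
    memset(&sysinfo, 0, sizeof sysinfo);
    uname(&sysinfo);

    /* localtime() may return NULL and strftime() may produce nothing. */
    startedTm = localtime(&serverPtr->started);
    if (startedTm == NULL ||
        strftime(timeStr, BUFSIZE, "%A, %d-%b-%y %T", startedTm) == 0)
    {
        timeStr[0] = '\0';
    }

    snprintf(tmp, sizeof tmp,
             "Server runing on <b>%s</b> (%s %s) port %d, has been up "
             "since %s.<p>", sysinfo.nodename, sysinfo.sysname,
             sysinfo.release, serverPtr->server_port, timeStr);
    HTTP_Send(reqPtr, tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>Number of connections: </b> %d\n",
             serverPtr->numConnects);
    HTTP_Send(reqPtr, "<p><pre>\n", tmp, NULL);

    snprintf(tmp, sizeof tmp, " <b>Number of HTTP requests: </b> %d\n",
             serverPtr->numRequests);
    HTTP_Send(reqPtr, tmp, "</pre><p>", NULL);

    /* At least one hour, so the average below never divides by zero. */
    hours = max(uptime / 3600, 1);

    snprintf(tmp, sizeof tmp,
             "This server is averaging <b>%d</b> requests per hour.<p>",
             serverPtr->numRequests / hours);
    HTTP_Send(reqPtr, tmp, NULL);

    DumpRusage(reqPtr);
    /* DumpConnections(reqPtr); */
    DNS_DumpStats(reqPtr);

    HTTP_Send(reqPtr, "<p><hr><address>", DStringValue(&ht_serverSoftware),
              "</address>\n", NULL);

    reqPtr->done = TRUE;
}

#undef BUFSIZE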



(60) 11-50 




26 



FIG. 1 



(61) 



11-5077 



[0 2] 



7*7 91f 



URL GET 



r 




•100 



L 



122 



120 



100. 



URL 
IRED I RECTI 



URL+ IP 



108 
/ 



URL 
REDIRECT 



h 5 >-*f ^ •> 3 > □ ^ 
URL + SID+LP 




122 



122 



L 



URL 
RED I RECTf 



I 



y^-^f/^ —loo 



200 



T 

100 



7 



100 



FIG. 2A 



(62) 



1 1 - 5 0 7 7 



[13 2] 



URL/SSG E T 



— 100 



n 



210 




214 



CHALLENGE 



^1 



2t6 




218 



222 



224 




222 



232 



200 



124 



3O0 



100 

i_ 



100 



100 









URL's 




RED I RECT 












S I DWju 




1 1 


















FIG. 


2B 


120 





(64) 



11-507752 



[04] 



CONTENT HOME PAGE 



http: // Conten1.com/homepage 



400 



ZJ>-r>"/l^ 3>r>72> 3yf>73. 3>f >74, 

/ -412a 

/- 412b 

3 > x > -y 8 . 3>fy79, D>f/y l o , 'j > y 2 v 

f 414 

n >t>"/ 1 U 3 >f>7 1 2 „ D>f>7l 3 . 3>f>7l 4 , 

412c— ^ 



http: //Content. com /advertisement 



H 410 
-408 

-402 



404 



-406 



FIG. 4 



(65) 



11-507752 



C05] 



URL: 



How to join 



http: //auth. com/ service/ nph- createacct .cgi 



1.77-X b%.— L. 



5 .^T / — A/ T K u x 



6. g^B (MM/DD/YY 



ISO BS J 

us 



FIG. 5 



(66) 



11-507752 



6] 



NUMB E RCjtff^ 



i 



I . " NUMBER" GET 



602 



— URL" CMS) REDIRECT 



^•5 'f T> h 



GET 



•601 



4. <<-i?mm 



CMS J — 603 



FIG. 6 



(67) 



11-507752 



uamwatm&] 



INTERNATIONAL SEARCH REPORT 



International Application No 

PCT/US 96/07838 



A. CLASSIFICATION OF SUBJECT MATTER 

IPC 6 H04L29/D6 



According bp Imemwlaut Peur* Oaadfltaflon (IPC) or h> both national daadflcatfan and IPC 



B. FIELDS SEARCHED 



MiMmom otocumeiitiftm (earthed (datnficxtion system followed by damffcaciccj cymboii) 

IPC 6 H04L 



to the extent tbat such documents arc included in the adds searched 



Electronic data base ooasdtcd (twine tie utematiooal search (name of data bat* and, where poetical, search terms used) 



C. DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* Citation of docaacnt. wvh indication, wtm appropriate, of a* rdcrant 



EP.'A.Q 456 920 (IBM) 21 November 1991 
see page 5, line 33 - page 7. line 13 



IEEE MULTIMEDIA, 

vol. 1, no. 1, 1994, COMPUTER SOCIETY US, 
pages 37-46, XPG0G440887 
see page 43, left-hand column, line 12 - 
right-hand colunn, line 25 

EP.A.O 645 688 (KPN NEDERLAND) 29 March 
1995 

see colurm 1, line 37 - col mm 4, line 20 
see figure 1 

-/-- 



Rdcrtrx «> ctaan No. 



1,10 

2.4-8 

3,9, 

11-44 

2,5 



6-8 



I"?] Pusher documents arc luted in foe «mlinuaton of boi C. 



|X \ Pdcnt fanuly nmnben arc lined in annex. 



* Special cathodes or died docunvens : 

*A* rtnmmrrt defining the scaerd ttmte afOw mrt which is not 

coftddti td to b« of particular tefcrance 
*B" earlier doenment but puhtisned on or after the mternahood 

{Zing date 

*L" document «hxck may throw doakts on priority daim(0 or 
wrtach is coed to extahUeh th« puhbcanon date ofrathcr 
eittaoa or other apedaj reason (aa ipactfied) 

"O* Annmn* refcrrina k> an oral c 

'P* document ptashdwd prier to fee 



ar tha tnwmatiooal AUac das* 
or priority date and doc in conflict with the anbcatrai but 



*X* ttKurnem of particular relevance; tht daimcd trtvenaan 
cannot be coeddcrtd novd or anoot be considered to 
involve an incentive rtep when the document « taken atona 



cannot be coesdered In involve an inventive fie? when [he 
rtontmmr u emmraned with o " 



later than tha priority data claimed 



aal 6tme< 



nxats, such enmhmtrion betna otntoux to a person dolled 
tattle an. 



of th« a 



e patent family 



Date of ttK actui comalcooo oi the mtemstional search 
27 January 1997 



Date ofnuioniof ttx h^cnunonal search report 



itling address of the ISA. 

European Patent Office, P.B. i&la Patendaan 2 
NL - ZZIO H V Rejattfjh 
TeL 31 .70) 34O.20*a Tt 31 651 epn ni. 
Far < + 340-5016 



Canosa Areste, C 



Fonn PCT/lSAvai 0 (etcwa etet) I9fl) 



(68) 11-507752 





INTERNATIONAL SEARCH REPORT 


lata «ul Appl 


jeattoa Mo 






PCT/US 96/07838 


C<CWttmaacD} DOCUMENTS CONSIDERED TO BE RELEVANT 


Category* 


Citation of document with indication, where appmptiate, of toe relevant prmgrr 


Relevant to cUnn Ncl 


Y 


IEEE NETWORK: THE MAGAZINE OF COMPUTER 
COMMUNICATIONS. 

vol. 9, no. 3. Nay 1995. NEW YORK US. 
pages 12-20. XP€G0595260 
A.K.CHOUDHURY ET AL: "COPYRIGHT 
PROTECTION FOR ELECTRONIC PUBLISHING OVER 
COMPUTER NETWORKS' 

see page 14. right-hand column, line 49 - 
page 16, left-hand column, line 18 




4 


A 


WO, A, 94 03959 (INTERNATIONAL STANDARD 

ELECTRIC CORP.) 17 February 1994 

see page 5, line 25 - page 9, line 12 




1-44 



farm PCT/I5A/210 (ratio attUtt of nmm sbftft) UiV 1999 



(69) 



1 1 - 5 0 7 7 



INTERNATIONAL SEARCH REPORT 

•afosmotiGa on patent family marten 


International Application No 

PCT/US 96/07838 


Patent document 
cited in search report 


Publication 


Pittot (airily 
cicfnbcr(s} 


Publication 
date 


EP-A-456920 


21-11-91 


US-A- 5560GG8 


24-09-96 



JP-A- 3G09444 17-01-91 
JP-B- 7668426 28-06-95 



EP-A- 645688 


29-03-95 


ML-A- 


9301633 


18-04-95 


WO-A-9403959 


17-02-94 


DE-A- 
AU-A- 
DE-U- 


4239754 
4783193 
9216139 


03-02-94 
03-03-94 
18-02-93 



(70) 



11-507752 



(51) Int. Ci . 6 



F I 

H 0 4 L 9/00 
G0 6F 15/40 



H0 4L 12/54 
12/58 
29/08 



6 7 3 A 
3 1 0 C 



(81)tt£H 



E P (AT, BE, CH, DE, 



DK, ES, FI, FR, GB, GR, IE, IT, L 
U, MC, NL, PT, SE), AU, CA, D E , G 
B, IL, J P 



(72)fgBJ# t'JX* Xf7x> • S?x!7D — 

01886, •)XXh7*-H, 
-f > D — F 3 

01773, U>*->, ;U-fX *h'J-F 
5 



01803, A— U>F>, 7-n-9yH 
H9-fy 1 



02164, -n.-h>, itn XhU-h 
81 



02193, ^xxh>, tr^3> t;u d 

— F 26 



